Sunday, October 23, 2011

I will post a few samples without analysis. This one is a CVE-2011-0611 PDF carrying the Taidoor Trojan, exploiting Gaddafi's death as a lure, with an outgoing connection to 2.116.180.66 (host66-180-static.116-2-b.business.telecomitalia.it).
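The only hard indicators in that post are the C2 IP and its reverse-DNS name. As an added example (not code from this blog), here is a small Python checker that runs those two indicators over constructed proxy-style log lines and reports which internal hosts talked to the C2. The log format, the sample lines, and the function names are assumptions for illustration; the IP and hostname are the ones quoted in the post.

```python
import re

# Indicators quoted in the sample post above (Taidoor C2 for the CVE-2011-0611 PDF).
TAIDOOR_C2_IP = "2.116.180.66"
TAIDOOR_C2_HOST = "host66-180-static.116-2-b.business.telecomitalia.it"

# Constructed proxy/firewall log lines, not real traffic. Assumed format:
#   <timestamp> <src_ip> -> <dst_ip>:<port> <dst_hostname_or_->
SAMPLE_LOG = """\
2011-10-23T10:01:02Z 10.0.0.15 -> 93.184.216.34:443 example.com
2011-10-23T10:02:10Z 10.0.0.23 -> 2.116.180.66:80 -
2011-10-23T10:02:11Z 10.0.0.23 -> 2.116.180.66:443 host66-180-static.116-2-b.business.telecomitalia.it
2011-10-23T10:05:40Z 10.0.0.42 -> 10.0.0.1:53 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<host>\S+)$"
)


def host_matches(observed, ioc_host):
    """True if the observed name is the IoC host or a subdomain of it (case-insensitive)."""
    if observed == "-":
        return False
    observed = observed.lower().rstrip(".")
    return observed == ioc_host or observed.endswith("." + ioc_host)


def find_hits(log_text, ioc_ips=frozenset({TAIDOOR_C2_IP}), ioc_hosts=frozenset({TAIDOOR_C2_HOST})):
    """Return one dict per log line that touched an IoC, with the reasons it matched.

    IP and hostname are checked independently: a proxy log may carry only one of
    them, and the IP can be reassigned after the campaign while the name persists.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        rec = m.groupdict()
        reasons = []
        if rec["dst"] in ioc_ips:
            reasons.append("ip")
        if any(host_matches(rec["host"], h) for h in ioc_hosts):
            reasons.append("host")
        if reasons:
            hits.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                         "port": int(rec["port"]), "reasons": reasons})
    return hits


def infected_sources(log_text):
    """Sorted list of internal source IPs that contacted the C2 indicators."""
    return sorted({h["src"] for h in find_hits(log_text)})


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['port']} matched {','.join(hit['reasons'])}")
    print("hosts to triage:", infected_sources(SAMPLE_LOG))
```

On the constructed log this flags both connections from 10.0.0.23 (one by IP only, one by IP and hostname) and nothing else. Because the IP belongs to a business ISP range, treat a match on the address alone as a lead to triage rather than proof of infection; the hostname match is the stronger signal.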

Wednesday, October 19, 2011

We are pleased to introduce DeepEnd Research, an independent information security research group that will focus on threat and intelligence analysis. Our emphasis will be on malware, exploit analysis, botnet tracking, the underground economy and overall cyberthreats. We will blog about various collection and analysis techniques, observations, and other areas of interest.

Another primary goal of DeepEnd Research is to foster collaborative research and analysis efforts with other security groups and organizations. We welcome any opportunities or inquiries as to projects involving common areas of interest.

"Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it's possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.

The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information."

Friday, October 7, 2011

I thought that Russian Matryoshka, aka Rustock the Nested Doll, would be a good subject after the previous post about Trojan.Matryoshka (Taidoor) analyzed by Jared Myers from CyberESI. The Russian rootkit Rustock is as notorious as TDSS or Stuxnet and is very sophisticated. Many researchers have published detailed analyses of Rustock, which is why it is a great subject of study. The botnet is down, but the malware is here for you to play with and try to reverse on your own or by following one of the analysis papers posted below.

Thursday, October 6, 2011

Jared Myers from CyberESI posted a fantastic, detailed analysis of a Taidoor trojan variant he called Trojan.Matryoshka, since it is just a container/carrier for another malicious file, "Trojan.Einstein". See Trojan.Matryoshka and Trojan.Einstein. The trojan arrived in a malicious RTF attachment (CVE-2010-3333) sent from a spoofed address of the National Chengchi University (NCCU) of Taiwan. The actual sending host was a server named IBM111, which is used by a particular group of attackers and is seen quite frequently. This sample was donated by a reader, but I have a lot of IBM111-produced attachments if you are after them.

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.